Intel’s vPro technology has been around for quite a while now, and with every new processor generation Intel seems to add more features under the vPro umbrella. For a comprehensive look at what exists now, check out the vPro launch for Broadwell. With Skylake, Intel is trying to tackle the challenge of securing computers, and the need for complex passwords. Passwords are a big pain point in the enterprise because people don’t like to make difficult passwords, and sharing passwords can be a big problem. Social engineering and more complex attack vectors can render passwords the easiest way to get into a company’s data.

Intel is launching Intel Authenticate today, and it will require a 6th generation Intel Core processor with vPro. Authenticate will combine several factors of authentication into a single login, which, in theory, should be easier for the end user as well.

It works by combining “something you know”, which can be a PIN or password, along with “something you have”, which could be a smartphone, and “something you are”, which is biometrics. Once you include many factors, the difficulty of one person obtaining all of them goes up quite a bit. The “something you know” can therefore be much simpler, such as a PIN or simple password, since that is not the defining key to the system. IT will be able to choose from multiple factors based on their own policy and preferences. Once configured, the factors are captured, encrypted, matched, and stored in hardware.

The user data never leaves the hardware, reducing the footprint for attack, and removing the chance of accidental misuse by employees. All of the authentication is then done at the hardware level once the user has matched the stored profile. The inclusion of biometrics, especially if they are based on Intel’s RealSense 3D camera systems, also adds in the possibility of having machines auto-lock when the person steps away.

Overall, this is similar to Windows Hello, except with more authentication factors and the resultant matching done on the CPU. There are advantages to this method, but one of the biggest disadvantages is that it will require Skylake-class hardware and newer, so you can’t deploy it to older machines. Interestingly, it is available on Windows 7, 8.1, and 10, despite Windows 7 and Skylake having a rough start together.

Intel tends to oversell the features of their CPUs and bury the potential risks real deep. Unfortunately I can't help but come to the conclusion that security is more and more elusive when pervasive backdoors are built into the hardware.

THANK YOU for this link. That blog also has some amazingly prescient commentary (from 2013) about the SGX secure computing extensions now added to Skylake and going forward, pointing out that with or without Intel's knowing collusion with the NSA there are serious concerns ahead when these features are in all chips whether we want them or not... even if for a small niche of applications they may be useful. Having been treated here somewhat as a tinfoil-hatter for suggesting this in the SGX article comments, and for predicting the rise of SGX-using malware that cannot be disassembled and debugged (or possibly even detected) even by the AV companies, it's good to see that I'm not the only one worried by this. I reckon I'll be sticking with Haswell-E. :(

"One aspect still presents a serious security challenge on x86 platform: the boot security. Intel has introduced many competing and/or complementary technologies which are supposed to solve the problem of boot security: support for TPM and TXT, support for SMM sandboxing, finally Boot Guard and UEFI Secure Boot. Unfortunately, as we have seen in the first chapter, none of these technologies seem satisfactory, each introducing more potential problems than it might be solving.

Finally, the Intel Management Engine (ME) technology, which is now part of all Intel processors, stands out as very troublesome, as explained in one of the chapters above. Sadly, and most depressingly, there is no option for us users to opt-out from having this on our computing devices, whether we want it or not. The author considers this to be probably the biggest mistake the PC industry has gotten itself into (that she has ever witnessed)."

"We have seen that Intel ME is potentially a very worrisome technology. We cannot know what’s really executing inside this co-processor, which is always on, and which has full access to our host system’s memory. Neither can we disable it."

I was having some Intel Management Engine issues on my computer recently. Is this what Intel ME is? PC would boot really slowly while it was enabled in Device Manager. Had some power failure issue. Had to disable it (the device listed in Device Manager).

Biometrics are actually very insecure. If someone puts his effort into compromising your account, he could easily swipe your fingerprint and create a replica without you even knowing. The big move in the industry to support biometrics has nothing to do with security and everything to do with selling that data to the highest bidders.